Tap on Phone Implementation Guide April 2021

1: Overview ...... 3

1.1 What is Tap on Phone? ...... 3

1.2 Who is this guide for? ...... 3

1.3 What is this guide intended for? ...... 3

2: Process ...... 4

2.1 PCI timeline ...... 4

2.2 Suggested market criteria...... 4

2.3 Solution options ...... 4

2.4 Certification step details ...... 5

3: FAQs ...... 9

3.1 General ...... 9

3.2 Certification and development ...... 9

3.3 Merchant-focused ...... 11

3.4 Pilots ...... 11

4: Glossary ...... 13

5: Resources ...... 14

© 2021 Mastercard. Proprietary and Confidential. | 2 1: Overview 1.1 What is Tap on Phone? Tap on Phone (ToP) is a contactless acceptance solution that is low cost, low maintenance, and peripheral-free for merchants. Tap on Phone can support NFC-enabled mobile devices1 to function as point-of-sale devices that accept contactless electronic payments (i.e. contactless cards, mobile wallets, wearables). • Tap on Phone can be deployed on many devices with an embedded NFC antenna that allows read/write functionality (e.g. Android operating systems). • Merchants can download a dedicated Tap on Phone app. After initializing the app and completing account set up, merchants can complete test transactions to confirm readiness for accepting contactless payments. • At the time of purchase, the merchant will open the Tap on Phone app and enters the purchase amount. The customer will then tap their contactless card or device against the NFC antenna on the merchant’s mobile device. Once the purchase is complete, the merchant can send an SMS or email receipt to the customer or print the receipt using an external printer. • Tap on Phone transactions are protected using the same security and encryption technology offered with EMV® chip cards throughout the world, and they use the same switching process as traditional POS transactions. See the Tap on Phone Merchant Guide in the Resources section of this document on page 14 to learn more about Tap on Phone use cases, benefits and overall functionality. 1.2 Who is this guide for? This guide is for any entity that develops, deploys or uses Tap on Phone solutions, including: • Acquirers, payment facilitators, and solution providers. • NFC-enabled mobile device manufacturers and OS developers that will host Tap on Phone apps. • Merchants who use or are interested in using Tap on Phone solutions, including those who have a direct relationship with a Mastercard acquirer. • Sub-merchants who use the services of a payment facilitator. • Issuers and others in the payment industry interested in Tap on Phone. 1.3 What is this guide intended for? This guide is intended to define the components of a Tap on Phone solution and provide guidance on how to enable and begin distributing a secure solution. • Tap on Phone solutions are built around three solution elements: the merchant’s existing NFC-enabled mobile device (COTS device), a Tap on Phone payment application (PCI CPoC™ application), and a back-end environment that engages in attestation, monitoring, and payment processing as part of the solution. • The integrity of both the Tap on Phone payment application on the mobile device and on the host system are critically important to maintaining the security of transaction data and to helping prevent data compromise incidents. • All Tap on Phone solutions must comply with PCI CPoC standards and relevant EMVCo and Mastercard testing requirements.

1. Mobile device is referred to as COTS in PCI standards for Tap on Phone without PIN. Please refer to the glossary on page 13 for COTS definition.

Dec 2019: Tap on Phone Tap on Phone Tap on Phone with PIN without PIN [PCI CPoC] without PIN business standards anticipated standards published as usual [PCI CPoC] by 2H'22 [Tap +PIN]

2019 2020 2021 2022

2020-2021: Commercial rollouts of Tap on Development and pilots for Phone without PIN [PCI CPoC] and Tap on Phone without PIN Mastercard pilots for Tap on Phone with PIN [PCI CPoC] in advance of industry standards

Timeline Considerations ✓ Mastercard Commercialization of PCI CPoC: • Following the publication and after a preparation period, PCI recognized CPoC laboratories will start evaluating solutions under the new CPoC standard. Any solution that successfully meets these standards will be listed as an approved PCI CPoC Solution by the PCI Council, listed on the PCI Council website and enabled for full commercialization. Mastercard will continue supporting providers and innovators around the world with guidance and best practices. *For pilot considerations, click here. 2.2 Suggested market criteria When considering which markets to deploy Tap on Phone to, the following assessment criteria and rationale may be helpful:

NFC-enabled mobile device is required as acceptance High smartphone penetration device for Tap on Phone transactions Contactless cards and devices are required to make High contactless card and device penetration Tap on Phone payments.

2.3 Solution options Below are options for entities looking to develop or deploy a Tap on Phone solution: 1. PCI-Compliant Commercial Solution [Tap on Phone without PIN: PCI CPoC]: Develop and certify proprietary solution against published PCI CPoC standard. 2. Engage with Approved Vendor [Tap on Phone without PIN: PCI CPoC]: Commercial agreement with vendor that offers an approved PCI CPoC solution. 3. Pilot [Tap on Phone with PIN: Tap +PIN]: Pre-PCI industry standard availability of support for PIN with PCI CPoC solutions.

Solution Options 1. PCI Approved CPoC 2. Engage with 3. Pilot Commercial Solution Approved Vendor [Tap +PIN]

Step 1: N/A Contactless License

Step 2: L1 EMVCo EMVCo is working on defining an evaluation process for MPOS. In the meantime, Acquirers will need to receive a waiver from Mastercard. See Step 2 of the certification details for more information.

Step 3: L2 Mastercard *

Step 4:

PCI CPoC Security * ** Evaluation

Step 5: N/A N/A Pilot agreement

Step 6: M-TIP

*Engage with your chosen approved vendor/Mastercard MPOS team to determine whether additional certification reviews apply.

**Pilots for CPoC with PIN requires security evaluation against Tap +PIN security principles by Mastercard accredited labs. 2.4 Certification step details Step 1: Contactless License Contactless License: A vendor or solution provider that is interested in undertaking a contactless project like Tap on Phone with Mastercard must first obtain a Contactless License (or have an existing license that covers the proposed activity). Vendors are required to enter into a license agreement with Mastercard before developing and selling contactless-enabled equipment. All cards, devices, and readers used for performing contactless transactions must be approved and licensed by Mastercard prior to their use. For more details on this, please reach out to contactless@mastercard.com.

1. Enrollment Form Solution Provider Submits: 2. Contactless License agreement (once step 1 is complete)

Solution Provider Receives: Contactless License

Notes: • For further partnership with Mastercard on the development of the solution, please contact [email protected].

For Pilots Only: Vendors/solution providers that receive (or already have) the required contactless license and have successfully registered their solutions can receive further support from Mastercard in the form of a tailored Pilot Project Plan and a designated Pilot Project Support Team. Mastercard Pilot support includes: • Internal MA task force set up to ensure pilot success • Pilot project plan created to track status of pilot • Development and certification expert support • Feedback collection Step 2: Level 1 Testing (EMVCo) EMVCo is currently discussing the future criteria for Tap on Phone solutions and working on defining an evaluation process for MPOS. A waiver process is being developed, please contact [email protected].

Notes: • All solutions must meet EMVCo contactless standards. Please reference the architecture and general requirements document on the EMVCo website. • Contactless Level 1 testing is a requirement for NFC-enabled solutions. The waiver process is being developed, details available soon. • EMVCo recently announced an Early Adopter Programme to support evaluating COTS devices for contactless payment acceptance against the EMV Contactless Interface Specification. Additional details on the program are available on the EMVCo website. Step 3: Level 2 Testing (Mastercard accredited functional laboratories) Solution providers are advised that Step 3 and Step 4 below can and, when possible, should be done concurrently. Below is a breakdown of the Level 2 contactless kernel approval process: 1. Contact the Mastercard Approvals Chip Certification Acceptance Devices team by sending an email to [email protected]. The provider will receive a Tap on Phone Registration form called ICS (Implementation Conformity Statement) and related Level 2 functional approval documentations. 2. The provider will send back the Tap on Phone Registration form and the Mastercard Approvals team will assign a registration number and send a related test plan called TEPS (Terminal Evaluation Plan Summary). 3. Vendor sends TEPS to their chosen accredited lab for L2 testing. Once complete, the lab issues a test report to Mastercard and the vendor/solution provider. 4. Mastercard reviews and assesses results.

Registration form to [email protected] Solution Provider Submits: The Registration Form, Test Plan and a Tap on Phone solution to be tested by chosen lab

Solution Provider Receives: Functional Test Assessment Summary (TAS)

For a list of labs that are currently accredited by Mastercard for L2 testing of Tap on Phone solutions contact [email protected].

Notes: • All solutions must comply with the latest Mastercard contactless reader specifications, all test environment requirements and all applicable performance and implementation requirements (response times, visual and audio indications etc.). This can be found on Mastercard Connect® > Chip and Chip-related Publications or by contacting [email protected]. • Solutions going through Level 2 functional testing must be identical to the solutions submitted to the PCI CPoC Security Evaluation. • Any functional changes to the Tap on Phone solution that are done after functional approval shall be assessed by [email protected].

Step 4: PCI CPoC Security Evaluation 1. Tap on Phone [PCI CPoC] solutions ONLY: Following publication of the PCI CPoC standard by the PCI Council in December 2019, all solution providers of Tap on Phone [PCI CPoC] Solutions are required to submit their solutions to a PCI recognized CPoC security laboratory for evaluation per the PCI CPoC standard. A list of PCI recognized security laboratories is available on the PCI website. 2. Tap on Phone with PIN [Tap +PIN] solutions ONLY: We are supporting ToP with PIN pilots and Mastercard-approved laboratories will continue evaluating any ToP with PIN solution under the Mastercard Security Principles document (“Embedded Contactless Reading with PIN for MPOS Pilots”). Baseline CPoC compliance for Tap +PIN pilots is not expected but is recommended as it might enable solution providers to go to market faster once PCI standards for Tap +PIN are in place.

For a list of PCI recognized labs, please visit the PCI website. For additional labs, please email [email protected]. In order to facilitate the evaluation process prior to the actual testing of the solution, security laboratories may offer solution vendors and providers the following services: 1. Guidance on designing POIs that meet PCI CPoC security requirements 2. Review of the vendors POI design, responses to questions via email or phone, participation in conference calls to clarify requirements, and performance of a preliminary physical security assessment on a vendor’s hardware. 3. Guidance on bringing a vendors POI into compliance with the PCI CPoC standard, if areas of non-compliance are identified during the evaluation.

Solution as per PCI requirements [CPoC] Solution Provider Submits: Pilots: Solution as per Mastercard security principles

Security report from labs → MA review and risk assessment → Review by PCI Council → If approved, published to PCI website Solution Provider Receives: Pilots: Provider receives Security report and attestation from lab + MA review and risk assessment

Notes: • If any changes are made to the solution after the security review, the solution will need to be re-reviewed by a lab

© 2021 Mastercard. Proprietary and Confidential. | 7 2: Process Step 5: Pilot Agreement (Tap +PIN only) After the solution vendor has successfully completed the L2 testing and security evaluation, their chosen acquirer will sign Mastercard’s pilot agreement. For more details, reach out to [email protected].

Solution Provider Submits: Pilot Plans/Terms

Solution Provider Receives: Signed pilot agreement

Notes: • This step is only applicable for Tap +PIN solutions.

Step 6: M-TIP Testing (Level 3) 1. The acquirer orders an M-TIP service from a Mastercard accredited M-TIP Service Provider of their choice and procures a qualified M-TIP test tool. 2. The acquirer downloads the latest Test Selection Engine (TSE) software (and TSE configuration file) from Mastercard Connect, and uses it to enter the details of their CPoC solution to generate the applicable test plan. 3. The acquirer executes the test plan, using their M-TIP test tool, and records the related test results and transaction logs with TSE or their M-TIP test tool. 4. The acquirer sends the test results (TSE file) to their M-TIP Service Provider for validation. 5. An M-TIP Letter of Approval (LoA) is delivered upon successful execution of M-TIP.

TSE file → M-TIP Service Provider Acquirer Submits: Pilots: Mastercard email approval to proceed to M-TIP → M-TIP Service Provider

M-TIP Service Provider generates report for MA → MA reviews Acquirer Receives: and issues LoA

Notes: • An M-TIP test can be initiated as soon as the Tap on phone solution has been granted a Level 2 Functional TAS (Test Assessment Summary). If all the necessary security information and confirmation is shared with [email protected], a CCS (Component Conformity Statement), including functional and security evaluation confirmations, could be released by Mastercard based on customer request. • All CPoC solutions must include the MPOS indicator in transaction data; more information in FAQ on page 9. • Solution providers who successfully pilot or certify a Tap on Phone solution will need to repeat Steps 1 through 6 above for future pilots of Tap on Phone with PIN [CPoC with PIN]. • M-TIP related online sources (M-TIP Process Guide, list of M-TIP Service Providers, list of M-TIP test tools, TSE, etc.) are available to customers through the Chip and Contactless Information Center on Mastercard Connect. For more information regarding M-TIP, please contact: [email protected] or your M-TIP Service Provider.

What are Tap on Phone features? Tap on Phone runs via mobile application on many NFC-enabled Android devices to support acceptance from contactless-enabled cards and devices (e.g., smartphones and smart watches and wristbands). After consumers complete their purchases with Tap on Phone, merchants can send a paperless receipt through SMS or email, or they can print the receipt using an external printer. Acquirers can integrate Tap on Phone with additional business solutions (e.g., invoicing, inventory management, and analytics reporting) to provide incremental value to their merchant customers.

How is Tap on Phone different from other POS solutions on the market? Current solutions require additional hardware to accept digital payments. Tap on Phone enables merchants to accept contactless payments using the Android device they already own.

What are some of the use cases for Tap on Phone? • Offer alternative to purchasing dedicated POS hardware. • Support payment on delivery, displacing cash. • Provide an immediate and quality customer experience with in-aisle checkout. • Empower on-the-go vendors. • Facilitate entertainment, sporting and philanthropic events.

Why Tap on Phone? Tap on Phone is an ideal payment method for customers when they just need to pay and go. As a merchant, you can transform any enabled mobile device into a payment terminal. Each Tap on Phone transaction is protected through the same technology as dipped card transactions but provides a faster and, therefore, more pleasant customer experience.

Are Tap on Phone payments secure? Tap on Phone payments use the same security technology offered as EMV chip cards that are deployed throughout the world. 3.2 Certification and development

Would I ever need to recertify my solution? Yes, however it depends on the type of changes being made and the solution’s architecture. Please visit the PCI Security Standards Council website for more information about security changes. Changes that could impact the functional evaluation should be communicated to [email protected] for assessment.

Are there any existing SDKs available for development with Tap on Phone solutions? Yes, Mastercard has created a free Contactless Terminal SDK (including a selection module and kernel compliant to Mastercard contactless-reader specifications) that providers can utilize. Contact [email protected].

© 2021 Mastercard. Proprietary and Confidential. | 9 3: FAQs Are solutions required to go through EMVCo PCD Level 1 Approval Process? Tap on Phone solutions are currently not required to go through the EMVCo PCD Level 1 Approval Process. Mastercard is currently discussing the future criteria for Tap on Phone solutions with EMVCo.

Does the PCI CPoC standard support all EMV and magstripe transactions (contact and contactless)? No, CPoC solutions support only contactless transactions.

Does the PCI CPoC standard support offline transactions? No, CPoC only supports only online transactions.

Do PCI CPoC Solutions require Mastercard approval? As of December 4, 2019, all Tap on Phone solutions are to be reviewed and approved by a PCI-recognized CPoC laboratory. There is no further or additional security evaluation or pilot approval by Mastercard.

Do PCI CPoC solutions require M-TIP approval for use with Mastercard acceptance? Yes, all MPOS solutions accepting Mastercard require M-TIP certification.

Does the PCI CPoC standard support PIN-required transactions? What happens with transactions over the CVM limit? No, the PCI CPoC standard does not currently support PIN-required transactions. Those transactions are out of scope for approved PCI CPoC Solutions and any alternatives to PIN-entry will be regulated by the corresponding standard (e-commerce, MPOS, etc.).

Are the Mastercard-approved security laboratories the same as PCI CPoC recognized laboratories? No, some laboratories are approved by both the PCI Council for CPoC security evaluations and Mastercard, while others are not. Please, review the list of PCI-recognized CPoC laboratories on the PCI website: https://www.pcisecuritystandards.org/assessors_and_solutions/pci_recognized_laboratories.

What is the MPOS indicator requirement? Overview: Mastercard is introducing new MPOS indicators in authorization and clearing messages to differentiate between software- and hardware-based MPOS terminals and PIN entry support. Hardware-based MPOS terminals are PCI-compliant card reader accessories (dongles) with a hardware-based PIN pad paired with a merchant’s mobile device. Software-based MPOS solutions take advantage of merchant’s off-the-shelf mobile devices for either PIN entry or for acceptance of contactless transactions, thus reducing the cost of payment terminals and promoting card acceptance. Requirements variations for MPOS: Requirements applicable to regular POS terminals are slightly adapted to MPOS due to technology constraints, or different use cases for this type of terminal. The most important ones can be summarized as follows: - Support of contact magstripe is made optional for MPOS in Europe Region (RA001.18 not applicable to MPOS) (soon to be extended to rest of world) - Support of signature (on both contact and contactless interfaces) and receipt printing has been made optional for MPOS (ref to AN_1712)

- MPOS transactions must be identified in authorization messages: o DE 61 subfield 10 (Cardholder-Activated Terminal Level) must be set to ‘9’ (MPOS Acceptance Device) - Additional fields may be configured for software MPOS, as introduced in AN_1626: o DE 22 subfield 2 (PIN entry Capability) should be set to: ▪ ‘1’ (Terminal has PIN Entry Capability) or ▪ ‘2’ (Terminal does not have PIN entry capability) or ▪ ‘3’ (MPOS Software-based PIN Entry Capability) o DE 48 sub element 21 subfield 1(Acceptance Data) should be set to: ▪ ‘0’ (Dedicated MPOS Terminal with PCI compliant dongle (with or without keypad)) or ▪ ‘1’ (Off the Shelf Mobile Device)

PIN entry Capability Acceptance Data DE22 SF2 DE48 SE21 SF1

Hybrid MPOS ‘1’4 ‘0’ SPoC ‘3’ ‘0’ CPoC ‘2’ ‘1’ CPoC w/ PIN ‘3’ ‘1’

Does Mastercard have sound and animation brand requirements? We recommend that developers of Tap on Phone solutions integrate Mastercard's optional Checkout Sound and Animation assets into their solutions.

Checkout Sound and Animation is a unique optional set of notes used to signal the approval of a Mastercard payment transaction in both physical and digital POI environments. One of the primary use cases for the sound is at the time of transaction approval at a POS. The Checkout Animation has been designed to accompany the Checkout Sound in physical and digital POI environments. The Checkout Animation begins with the Mastercard Symbol, which with active movement, evolves to create an illusion of motion when the animation is shown as a sequence, turning the Mastercard Symbol into a checkmark.

Benefits of Checkout Sound and Animation:

• Consumer Transparency: At checkout, consumers seek reassurance that their transaction is both complete and protected. Audio confirmation, in addition to a visual cue, can add to consumers’ trust in both the payment method and the Merchant. Sound has the power to connect people’s hearts and minds to create lasting associations.

• Consumer Trust: Mastercard’s Checkout Sound and Animation at checkout can help Partners strengthen consumers' trust when they’re completing a purchase. It can give them peace of mind that their payment was approved.

• Consistency: Mastercard Checkout Sound and Animation at checkout will have a consistent presence, transaction after transaction, wherever consumers encounter Mastercard— at the point-of-sale. Wherever it appears, it signals the trust consumers already have in Mastercard, which can translate to trust and loyalty for Partners. Please email [email protected] to receive the Mastercard Sonic Brand at Checkout Partner Integration Guide and Technical Standards

© 2021 Mastercard. Proprietary and Confidential. | 11 3: FAQs 3.3 Merchant-focused How do I know if a customer can pay via Tap on Phone? Physical Card: Look for the contactless indicator on the card – it’s usually on the front but may be on the back. If you do not see the waves, the card won’t be able to tap. Device: If the customer has a mobile wallet (e.g., a Mobile Banking issuer application with NFC capabilities: Apple Pay®, Samsung Pay®, Google Pay®), they can Tap & Go® if they have previously loaded their card into their mobile wallet. Only the customer will know if they have done this.

Where does the customer tap? The customer should take out their NFC card or enabled device, identify the NFC antenna and hold it in proximity until the payment has been accepted. If available, a sticker can help indicate where the NFC antenna is located.

What if the transaction does not process? Make sure your device has a data connection available/active, check that the mobile device cover is removed and retry tapping.

Which operating systems are supported? Tap on Phone software has only been developed on Android devices; however, other OS devices could choose to support Tap on Phone in the future.

Do Tap on Phone solutions support all payment brands (Mastercard, Visa, etc.)? A solution can support other payment brands if it is built with the brand’s EMV kernel and is approved by the brand. 3.4 Pilots What’s happening with existing Tap on Phone pilots? Mastercard aims to continue supporting its clients and assuring the continuity of existing projects/pilots. Any solutions that as of December 4, 2019, were in pilot phase or in the final steps of security evaluation and pilot approval will be evaluated and reviewed by Mastercard’s security and acceptance teams to adjust the pilot agreement, allowing a reasonable time frame for PCI CPoC certification without altering the continuity of the acquiring business.

Can I start a new Tap on Phone pilot? No, all Tap on Phone solutions that as of December 4, 2019, had not initiated a security evaluation with an accredited laboratory for pilot approval under Mastercard documentation will be required to submit their solution to a recognized PCI CPoC laboratory for evaluation under the newly established PCI CPoC standard.

© 2021 Mastercard. Proprietary and Confidential. | 12 3: FAQs How do I start a new Tap on Phone with PIN pilot? Mastercard is aware of the current status of Tap on Phone technology and the existence of Tap on Phone with PIN solutions that have been offered by several technology providers. We are supporting ToP with PIN pilots and Mastercard-approved laboratories will continue evaluating any ToP with PIN solution under the Mastercard Security Principles document (“Embedded Contactless Reading with PIN for MPOS Pilots”). Baseline CPoC compliance for Tap +PIN is not expected, but is recommended as it might enable solution providers to go to market faster once PCI standards for Tap +PIN are in place.

All third-party trademarks are the property of their respective owners. Mastercard, Tap & Go®, and Mastercard Connect are registered trademarks, and the circles design is a trademark, of Mastercard International Incorporated. © 2021 Mastercard. All rights reserved.

Contactless payments: A payment method that enables consumers to purchase products and services via debit/credit card or mobile devices that use Near Field Communication. CPoC: Contactless Payments on COTS, also known as Tap on Phone without PIN. COTS: Commercial off-the-shelf device. A mobile device (e.g., smartphone or tablet) that is designed for mass- market distribution. Electronic payments: A transaction processed by an electronic medium, as opposed to a cash transaction or payment by paper checks. EMV®: A global standard for cards that uses chip technology to authenticate (and secure) chip-card transactions, taking its name from the card schemes that developed it – Europay, Mastercard, and Visa. Level 1 Testing: Level 1 (L1) testing is an EMV specification for cards, acceptance devices and mobile phones (in card emulation mode) and is a requirement on NFC mobile device vendors. L1 certification ensures that the device meets the lower-level electromagnetic and communication requirements. It includes operating distance tests, in which reference cards are placed at a set of predefined positions in proximity to the device’s antenna. Level 2 Testing: Level 2 (L2) certification validates the software, which implements the payment functionality that runs on the EMV-approved device. This software is referred to as a payment “contactless kernel” (also includes the application selection module). The supported contactless payment schemes (Mastercard/Maestro, Visa, American Express, etc.) determine which of the payment kernels will be implemented. MPOS: Mobile point of sale, including mobile devices, tablets and wireless portables. M-TIP testing: M-TIP (also known as Level 3 certification) ensures that the configuration of the software on the device and the acquiring chain, including the acquirer host and the connection to Mastercard, meet the Mastercard brand requirements. Near field communication (NFC): The technology that allows two contactless enabled devices (credit card, mobile phones) and payment terminals to contact each other when they are in range, (e.g., contactless payments). PCI DSS: The Data Security Standard published and maintained by the Payment Card Industry Security Standards Council. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. Security review: Following publication of the PCI CPoC standard by the PCI Council in December 2019, all solution providers of Tap on Phone [PCI CPoC] solutions are required to submit their solution to a PCI-recognized CPoC security laboratory for evaluation under the PCI CPoC standard. A list of PCI-recognized security laboratories is available on the PCI website. Software Development Kit: A tool that allows solution providers to integrate third-party features into their own software, apps or platforms.

Mastercard Resources: 1. Tap on Phone Merchant Guide 2. Tap on Phone Pilot Case Studies 3. Tap on Phone Go-to-Market Guide 4. Tap on Phone Kernel SDK1

Please visit Mastercard’s Mobile Point-of-Sale Website to gain access to guides and case studies.

PCI Documents: Tap on Phone without PIN [CPoC] 1. PCI Security and Test Requirements 2. PCI Program Guide 3. PCI Technical FAQs

______1. Mastercard’s Tap on Phone Kernel SDK information and request form can be found HERE.